The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.

Source: Backyard Productions via Alamy Stock Photo

Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured.

So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters.

The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are more plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government's General Services Administration, called GSAi.

Related:How Public & Private Sectors Can Better Align Cyber Defense

DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. The comments below were gathered from cybersecurity law and policy expert Stewart Baker; Evan Dornbush, former NSA cybersecurity expert; and Willy Leichter, chief marketing officer with AppSOC.

**Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?**

Stewart Baker: Of course DOGE's rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. The rule for software design is "fast, secure, and cheap — pick any two." Elon Musk has achieved enormous success in business by eliminating procedures and organizations and parts that the experts said were essential.

He's running Twitter/X with one-fifth the employees it had before he took over. He has dramatically simplified rocket design, enabling faster manufacturing and turnaround. So it's no surprise he'd want to challenge and ignore a lot of government rules, including those that protect information security. But the security rules protect against active adversaries. Taking shortcuts that seem sensible to smart guys in a hurry could lead to serious problems down the road, and it may take us a while to realize the damage. 

Related:President Trump to Nominate Former RNC Official as National Cyber Director

Musk's impatience is understandable, though. I'm sure that there are employees using the security rules to slow him down or thwart him entirely. It's important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay.

Evan Dornbush: It's quite reasonable for people to be concerned, even alarmed, at how DOGE is currently operating. For any organization, the process of securing data is often developed over years, taking in myriad perspectives to ensure confidential data is minimally accessible, and that logging can recreate a picture of accessed data, or data in transit, when required.

Willy Leichter: The actions of DOGE, in just its first couple of weeks, is the largest, deliberate trampling of government security protocols in cyber history. The arrogance, deliberate ignorance, malevolence, and sheer stupidity of this gang of untrained and unaccountable hackers roaming sensitive government networks is staggering. If this type of activity happened in the private sector, with this level of highly sensitive and regulated information, we would be talking about massive fines and personal criminal liability for all the actors involved.

Related:Content Credentials Technology Verifies Image, Video Authenticity

This could not be happening at a more precarious time for government cybersecurity. China and other countries have been ramping up attacks, already targeting many of the same networks, stealing data and planting the tools to cripple our critical infrastructure. Putting this data in inexperienced and reckless hands, while dismantling defense systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will inevitably have disastrous consequences. The only questions are whether this will cost us billions versus trillions in losses, and whether it will take years versus decades to recover.

**Question 2: What has DOGE done specifically that causes you concern?**

Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Given all the other sources of information about individuals, reconstructing full names is something a hostile foreign service would seek to do, so they'll be trying to intercept the list of names. My question is why DOGE thinks that's a risk worth taking? Will the list of names do DOGE any good? I assume the request was tied to possible layoffs at the CIA, but did DOGE really need the names to decide who to lay off? If not, this was an unnecessary risk and irresponsible.

Dornbush: Lack of transparency. Right now, it seems like questions are being asked to DOGE about how it is securing the data it accessed from government sites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. Even if it is ultimately determined that DOGE does have authorization to access this data, \[if\] it has physically removed the data from these hardened and professionally monitored networks, how is DOGE ensuring the data is responsibly protected from its own compromise or disclosure? How is it able to certify that the data is destroyed once it is no longer required?

Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one.

These include forcing entry to restricted and classified systems without proper authorization. Officials doing their sworn duty to prevent this were put on administrative leave. DOGE members were also given excessive access to sensitive systems that went far beyond what was necessary for their advisory roles. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.

Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, \[and were provided\] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked.

**Question 3: What do you think needs to happen to secure the data in DOGE custody?**

Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Judicial rulings that try to protect the data by denying DOGE access should be lifted.

Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. The data it is looking at sat behind years of accumulated people, products, and policy that specialize only in the security of that data set. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.

Leichter: It's probably impossible to undo this type of damage. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. All of this seems highly unlikely, as the administration is deliberately disabling as much of the federal government as possible and replacing highly trained experts with incompetent political hires.

**Question 4: What are you paying attention to most regarding DOGE and its information security strategy?**

Baker:  I'm still waiting to hear what DOGE's infosec strategy and commitments are.

Dornbush: What DOGE is purportedly doing is important and has merit. I'd love to know what the infosec strategy is. Right now, it seems like sharing the security steps they are taking with the public is not a priority.

Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only discernable strategy of DOGE and the administration is to dismantle as much of the government as quickly as possible, purging experience, which they seem to view as a liability.

The only question is how quickly judicial intervention can kick in and whether it will be ignored. The one thing that might influence this administration is widespread public condemnation after the next major security incident, which is probably lurking right around the corner. That’s a terrible security strategy.

Would you like to weigh in on any of the above four questions? If so, please send a note to \[email protected\] to be included in a follow-up story with reader reactions.

Roundtable: Is DOGE Flouting Cybersecurity for US Data?

With investment in cybersecurity capabilities and proactive measures to address emerging challenges, we can work together to navigate the complexities of combating cybercrime.

Chris Henderson, Senior Director of Threat Operations, Huntress

February 13, 2025

5 Min Read

Source: wsf AL via Alamy Stock Photo

COMMENTARY

Cybercrime isn't just an inconvenience — it's a serious threat capable of disrupting essential infrastructure, endangering public safety, and shaking the foundations of our financial systems and economy.

We've all seen the headlines in recent years — from a cyberattack on an energy pipeline that disrupted the fuel supply across parts of the US to a large-scale ransomware attack on a health insurance provider that led to a massive leak of personal data. Uncovering and combating cybercrime remains a complex challenge for many reasons, but chief among them is the disconnect in data collection, sharing, and collaboration between the public and private sectors.

Critical infrastructure, essential utilities like power and water, local municipalities and services (think 911 and EMS), small and midsize businesses, and healthcare — not one of these is off-limits to cybercriminals. And as threat actors become more aggressive, our defenses must keep up.

**Plenty of Red Tape, but No Clear Defenses**

The US government has a duty to take the lead in defending the nation against cybercrime. But while there's been some progress over the past few decades toward stronger national leadership on cybersecurity, the truth is that there's been a lot of added red tape with no clear responsible party.

Over the past 25 years, organizations like the FBI's Internet Crime Complaint Center (IC3), the National Cyber Investigative Joint Task Force (NCIJTF), and the Cybersecurity and Infrastructure Security Agency (CISA) have been created. They're producing valuable alerts and educational resources on growing cyber threats. That's all great, except for one thing. Despite decades of progress on building federal alignment around cybersecurity as a key priority, there's still no clear voice leading the charge. Meanwhile, cybercriminals are staying one step ahead, moving faster and more strategically than the agencies tasked with safeguarding citizens' cybersecurity.

That brings us to March 2024, when the Foundation for Defense of Democracies (FDD) released a report calling for the creation of a stand-alone military Cyber Force. This team would run Pentagon cyber-defense efforts from within the Department of the Army and help set the stage for a more unified defense strategy over the next five to 10 years. The report is rooted in feedback from over 70 active and retired military cyber experts who all seem to agree on one thing: Cybercrime poses a serious and growing threat to national security, and it's time to do something about it.

**Closing the Gap**

At the highest levels of government, the US has made a strong push to identify, address, and communicate emerging and critical cyber threats. And now, it's on both the public and private sectors to bridge the gap and work together. But the big question we've yet to fully address is whether there's sufficient collaboration between the public and private sectors and if our response times are suffering because of it.

Take March 2021, for example. Microsoft flagged that a hacking group exploited multiple zero-day vulnerabilities targeting Microsoft Exchange Server software. A month later, the Justice Department stepped in with a court-authorized effort to disrupt ongoing exploitation. And the patches? Those finally rolled out another month later, after cybercriminals had plenty of time to exploit the vulnerabilities and infiltrate organizations.

Fast forward to the ConnectWise ScreenConnect vulnerability that surfaced last year. This time, the private sector was ahead of the game, with guidance and fixes hitting the headlines quickly. But, when it came to government action, CISA issued its advisory days after the vulnerability was announced.

Progress has definitely been made over the past two decades — there's no denying that. But there's still room to tighten the partnership between public and private sectors regarding cybersecurity. So, how do we achieve that?

**Building Future Defenses That Command Respect**

To build stronger defenses for the future, we need to respond to these kinds of incidents in minutes and hours — not days, weeks, or months. There has to be a faster, simpler way for leaders from both the public and private sectors to connect, share insights, and issue clear instructions for vulnerabilities, patches, and more.

I've pinpointed five key areas that, in my opinion, need serious attention to improve collaboration between public and private sectors:

1.  Insights: If we unify data collection, analysis, and sharing, we can give policymakers and practitioners a clearer picture of cybercrime — its scope, its patterns, and where to hit back with precision.
    
2.  Data: Taking that one step further and sharing more data between agencies and the private sector would make a tangible difference in how prepared organizations and municipalities are for known and emerging vulnerabilities.
    
3.  Policy and legislation: Here's a practical one — streamline classification processes. Using a common language for cybercrimes would cut down on miscommunication and confusion.
    
4.  Collaboration: Create task forces between government and industry that scale to the highest levels of government and the gravest threats, responding in a coordinated, powerful way.
    
5.  Hacking back: There are pros and cons to this option, but I'd like to see the federal government explore how to build skills to hack the hackers, and somewhat importantly, what the rules of engagement would be for companies and local governments. The notion has been introduced to the government, but to date, no laws have been passed yet to push it forward.
    

The fight against cybercrime is constantly evolving, and keeping up will take all of us working together and thinking creatively. Recent initiatives prove that when we harness technology, coordinate effectively, and build stronger public-private partnerships, we can significantly bolster our defenses, reducing the impact of cybercrime on individuals and institutions. It's no easy task — staying ahead requires vigilance, adaptability, and a willingness to tackle uncharted challenges. But together, through collaboration and determination, we can tackle cybercrime challenges head-on, creating a safer and more secure future for everyone.

**About the Author**

Senior Director of Threat Operations, Huntress

Chris Henderson runs Threat Operations and Internal Security at Huntress. He has been securing MSPs and their clients for more than 10 years through various roles in software quality assurance, business intelligence, and information security.

How Public &amp; Private Sectors Can Better Align Cyber Defense

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the United Kingdom, and key sectors since 2021.

A hacking group with links to Russian intelligence has been silently compromising computer networks worldwide, including those in the United States and the United Kingdom, by taking advantage of known security vulnerabilities in widely used software.

This was revealed by Microsoft’s Threat Intelligence team on Wednesday, which has been tracking the activities of a subgroup within “Sandworm,” (aka Seashell Blizzard, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.), a hacking group tied to Russia’s GRU military intelligence unit. This subgroup, which Microsoft calls the “BadPilot campaign,” has been breaching networks since at least 2021 by exploiting vulnerabilities in internet-facing systems.

The hackers have been targeting a variety of sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and even government organizations. Initially, their focus was on Ukraine, Europe, and parts of Asia and the Middle East. However, since early 2024, they have expanded their operations to include the U.S. and the U.K.

Their methods involve exploiting publicly known vulnerabilities in software like ConnectWise ScreenConnect, used for remote IT management, and Fortinet FortiClient EMS, a security software. By gaining an initial foothold through these weaknesses, the hackers can then move deeper into the network, steal credentials, and ultimately gain control of valuable systems. Here are the security vulnerabilities that Microsoft found being exploited by the group:

*   OpenFire (CVE-2023-32315)
*   JBOSS (exact CVE is unknown)
*   Microsoft Outlook (CVE-2023-23397)
*   Microsoft Exchange (CVE-2021-34473)
*   Zimbra Collaboration (CVE-2022-41352)
*   JetBrains TeamCity (CVE-2023-42793)
*   Fortinet FortiClient EMS (CVE-2023-48788)
*   Connectwise ScreenConnect (CVE-2024-1709)

Microsoft believes that while some of the targets seem random, these widespread breaches give Russia options to respond to changing strategic goals. Since the start of the war in Ukraine, Russian-aligned hackers have been increasingly targeting international organizations that provide support to Ukraine or are of geopolitical importance. The subgroup is also thought to be connected to destructive cyberattacks in Ukraine since 2023.

Microsoft’s research reveals that this subgroup is not just about gaining access; it’s about maintaining it. Once inside a network, they deploy tools such as remote management software (RMM) and web shells to ensure long-term control.

For instance, by installing legitimate RMM agents like Atera Agent and Splashtop Remote Services, they can mimic authorized activity, making detection more challenging. The group is also known for web shell deployment, credential harvesting and DNS manipulation

Additionally, the use of custom utilities like ShadowLink, a tool that configures compromised systems as hidden services on the Tor network, further complicates efforts to trace their activities.

Seashell Blizzard’s attack chart (Via Microsoft)

****Who Is Sandworm?****

Linked to Russia’s military intelligence agency GRU, specifically Unit 74455, Sandworm is notorious for conducting disruptive cyberattacks. Their history includes incidents like the NotPetya attack in 2017, which caused billions in damages worldwide, and the FoxBlade operation in 2022, targeting Ukraine’s infrastructure.

Industry experts are raising alarms about the implications of these findings. “This discovery is alarming for UK organisations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks,” warns Simon Phillips, CTO of SecureAck.

Even though the subgroup exploits publicly known vulnerabilities, their post-compromise tactics are becoming more advanced. The emergence of BadPilot only makes it harder to detect the activities of these already well-equipped and highly skilled Russian hackers.

That’s why organizations of all sizes must stay alert and aware of this and other cybersecurity threats. Employee training and additional security measures can help prevent breaches, even if they can’t completely stop Seashell Blizzard.

Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK

Scammers are once again using AI to take over Gmail accounts.

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

> “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly. This is especially because the AI tools that cybercriminals have at their disposal are relatively low cost: In one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users some of these elements all came together. These often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks this is the type of campaigns that are examples of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past these sites can even be designed to steal session cookies. Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

**How to avoid AI Gmail phishing**

*   Never click on links or download files from unexpected emails or messages.
*   Don’t enter personal information on a website unless you are certain it is legitimate.
*   Use a password manager to autofill credentials only on trusted sites.
*   Monitor your accounts for signs of unauthorized access or data leaks.
*   Verify security alerts by visiting your Google Account page directly instead of using links in emails.
*   Use multi-factor authentication (MFA) for all accounts
*   Protect your devices with up-to-date security software (such as Malwarebytes Premium Security), and use text protection and text message filtering on your mobile device.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 How AI was used in an advanced phishing campaign targeting Gmail users 

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

Title: ABB Cylon FLXeon 9.3.4 Session Persistence Vulnerability  
Advisory ID: ZSL-2025-5922  
Type: Local/Remote  
Impact: Security Bypass  
Risk: (4/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_sess1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189233/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 Session Persistence Vulnerability

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

Title: ABB Cylon FLXeon 9.3.4 Default Credentials  
Advisory ID: ZSL-2025-5919  
Type: Local/Remote  
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS  
Risk: (5/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx)  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_default1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189230/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 Default Credentials

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

Title: ABB Cylon FLXeon 9.3.4 (app.js) Insecure CORS Configuration  
Advisory ID: ZSL-2025-5921  
Type: Local/Remote  
Impact: Cross-Site Scripting, Security Bypass  
Risk: (3/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('\*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_cors1.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189232/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (app.js) Insecure CORS Configuration

An authenticated attacker can access sensitive information via the system logs page of ABB Cylon FLXeon controllers. The logs expose critical data, including the OpenSSL password for stored certificates. This information can be leveraged for further attacks, such as decrypting encrypted communications, impersonation, or gaining deeper system access.

Title: ABB Cylon FLXeon 9.3.4 (cert.js) System Logs Information Disclosure  
Advisory ID: ZSL-2025-5920  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

An authenticated attacker can access sensitive information via the system logs page of ABB Cylon FLXeon controllers. The logs expose critical data, including the OpenSSL password for stored certificates. This information can be leveraged for further attacks, such as decrypting encrypted communications, impersonation, or gaining deeper system access.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_log1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48852  
\[3\] https://packetstorm.news/files/id/189231/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel